Personally Controlled Electronic Health Records Bill 2011

WARNING:
This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.

House: House of Representatives
Portfolio: Health and Ageing
Commencement: Sections 1 and 2 on Royal Assent. Sections 3 to 112 on day or days to be fixed by Proclamation or by the later date of 1 July 2012 or the day the Act receives Royal Assent.

The Personally Controlled Electronic Health Records Bill 2011 (the Bill) will establish the framework for a national personally controlled electronic health record (PCEHR) system.

The Bill will also establish the regulatory framework under which the system will operate and a privacy regime which will govern the system, and which will operate in tandem with federal, state and territory privacy laws.

Background

Background information relating to the concept of e health—its definition and development in Australia and overseas—is comprehensively dealt with in the Parliamentary Library’s research paper, The e health revolution—easier said than done. This paper also contains discussion of the development of policy for the personally controlled electronic health system.[1]

E health is defined by the European Commission (EC) as ‘the use of modern information and communication technologies to meet needs of citizens, patients, healthcare professionals, healthcare providers, as well as policy makers’.[2]

Since the 1990s, e health has been increasingly seen by most developed countries as central to the provision of current and future high quality, patient-centred care. In Australia, e health has been assessed as having a number of potential social benefits. These include lessening the experience of isolation for the rural population, keeping an increasingly ageing population out of institutional care and addressing the health inequities experienced by specific groups, such as Indigenous Australians. E health has also been seen as having the potential to reduce unnecessary duplication of services and address escalating health costs.

In 1999, the Howard Coalition Government took the first steps towards implementation of a national e health policy with the establishment of a National Health Information Management Advisory Council (NHIMAC). In collaboration with government and relevant health stakeholders, NHIMAC conceived a plan for e health—Health Online.[3] Launched in November 1999, the main focus of this plan was a series of wide-ranging national action strategies.

One important project undertaken under Health Online was the evaluation of the benefits and difficulties that may be associated with adopting national electronic health records and proposing a strategy for their introduction. The HealthConnect component of the national plan involved a series of trials to determine how a future health information network could function.[4] It also involved the proposal to introduce a Medicare ‘smartcard’ which was to contain information about health consumers such as organ donor status and PBS expenditure data in addition to providing access to standard Medicare services.[5]

The smart card, and a later variant, the access card, were criticised by many who believed they were a threat to the security and privacy of individuals.[6] Other criticisms related to the idea that the cards may be used for purposes other than those for which they had been intended—that indeed a ‘function creep’ would occur and that eventually the health card would resemble the Australia Card model previously rejected by Australians.

While these concerns were not fully resolved by the time the current Labor Government came to power in 2007, the Government resolved to continue with the development of e health strategies. It commissioned a new investigation into how these could be developed and this study eventuated in the introduction of the current National E-health Strategy.[7]

The National E-Health Strategy sets out the Government’s intended directions for the development of e health in increments of three, six and ten years and involves four work streams—foundations, solutions, change and adoption and governance.

The Government is working towards implementing the first of these streams, the foundations stream. This involves putting in place consumer provider identifiers, establishment of standards, rules and protocols for information exchange and protection and implementation of underlying physical computing and networking infrastructure for e health.

Health care identifiers

The Howard Government had commissioned initial work on the technical design for a national healthcare identifiers (HI) service which would be provided to Medicare card holders; only weeks after its election the current Government contracted the scoping, design, build and testing of this service to Medicare Australia.

The Government quickly discovered, as had its predecessor, that privacy and the issue of function creep go hand in hand and parallels were once again drawn with the Australia Card.[8] The Government responded to concerns by revising the HI Service legislation to state specifically that the use of healthcare identifiers would be limited to functions associated with the delivery of a healthcare service. Use of healthcare identifiers would be underpinned by national privacy arrangements and would entail transparent and accountable governance arrangements, and the effectiveness of the HI Service would be evaluated after two years of operation.[9]

The HI legislation passed both Houses of Parliament in 2010.

Personally controlled e health records

The Howard Government was convinced that personal e health records are the ‘cornerstone of all e health initiatives’. The current Government’s first substantial investment in e health appeared to reflect a similar belief. Allocation was made in the 2010–11 Budget of $466.7 million specifically for the purpose of creating a personally controlled electronic health record (PCEHR) for Australians who chose to opt in to the PCEHR system.[10]

The Government released a draft plan in April 2011, the Draft Concept of Operations Relating to the Introduction of a Personally Controlled Electronic Health Records System (Con Ops).[11] This document suggested how the PCEHR system would be likely to look, what information it might contain and how it might function and connect with existing clinical systems. Some comments on the plan claimed that it had been largely developed ‘away from the public gaze and in secret’.[12] The Government denied such accusations and, following a period of consultation, released a minimally revised Con Ops paper on 12 September 2011.[13]

The Government also released a legislative framework paper to support the Con Ops design.[14] This paper considered five areas which it was believed the PCEHR system legislation would need to address—participation, access, privacy, security and governance. It set out proposals in these areas and asked for stakeholder views and suggestions on matters ranging from the role of individuals in setting access control on, and authorising access to their PCEHR, to the types of breaches of access requirements that should attract penalties.

Responses to the legislative framework paper raised concerns similar to those later expressed in submissions commenting on Exposure Draft legislation, and which continue to be relevant in the context of the provisions contained in this proposed legislation. These comments will be discussed in the section of this Digest which deals with the Bill’s provisions.

This Bill and the Personally Controlled Electronic Health Records (Consequential Amendments) Bill 2011 have been referred to the Senate Community Affairs Legislation Committee for inquiry and possible report by 29 February 2012.

Reasons for referral and principal issues for consideration by the Committee have been listed as:

privacy issues/ privacy breaches/ penalties for breaches

security of information on the PCEHR

questions about the design, functionality, and capability of the PCEHR

questions regarding the use of consultants, contractors, and tenders let or hired by the National E-Health Transition Authority (NEHTA) in regard to the development of the PCEHR

the level of functionality of the PCEHR at 1 July 2012

questions around the continuation of NEHTA after 1 July 2012

the products that NEHTA designed, made, tested, certified for use in the PCEHR, and

any other issues the Committee considers appropriate.

The inquiry therefore deals with more wide-ranging issues than the scope and operation of the PCEHR as detailed in this proposed legislation. In particular, the inquiry has been tasked with examining the actions of NEHTA in developing the PCEHR. It will also consider the possible ongoing role of NEHTA.

This Digest does not deal with these issues in detail. However, some discussion can be found in the Library’s e health paper, which was referenced earlier. The Digest also makes reference to stakeholder claims that standards, which should be in place to ensure the efficient operation of the system, are either inadequate or do not exist and that NEHTA is attempting to bypass proper process in order to meet the proposed July 1 start date for the PCEHR.

Forty six submissions to the Senate inquiry, which closed on 12 January 2012, were received. Some comment on these submissions is in the section on stakeholder observations later in this Digest.

Detail of the Howard Government’s approach to e health in general and the concept of a personal e health record for patients can be found in the Library’s paper on this issue. Information in Box 2 below is an extract from that paper which considers recent Opposition approaches to e health.

The Howard Government’s early enthusiasm for e health no longer seems to feature in opposition thinking. Indeed, this aspect of health policy appears to be low on the current Coalition’s agenda. No plans have been released to counter the Government’s approach and the Opposition Leader, Tony Abbott, has vowed to cease funding the PCEHR until federal budgets are back in surplus.[15]

Opposition primary health care spokesperson, Dr Andrew Southcott, has, however, proclaimed a commitment to the principle of e health, while decrying past experience which has seen ‘a lot of money wasted’.[16] In this context, journalist Karen Dearne’s assessment is interesting. Dearne argues that as Health Minister in the Howard Government, Tony Abbott presided over much of the spending on e health to date and indeed was the creator of NEHTA, often accused of wasting e health monies.[17]

In response to demands from the Australian Medical Association (AMA) that the Opposition provide an alternative e health policy, Dr Southcott has stated that the Coalition is working on an e health plan based on consultation with stakeholders.[18]

More recently, specific criticism surfaced of the Opposition’s ‘lack of a viable alternative’ to the Government’s PCEHR plans.[19] In response, Dr Southcott argued that opposition policy was still in development; the Opposition was in fact focussed on making sure the current Government’s program ‘ran smoothly and on budget’.[20] With regard to this commitment, it should be noted that the Opposition has raised a number of questions about the PCEHR during recent Senate Estimates hearings, particularly in relation to the matters raised for consideration by the Senate inquiry into this legislation. At the time of writing this Digest, the Department of Health and Ageing has provided answers to most of these questions.[21] Some stakeholders complained, however, that they had relied on these answers being available to inform their submissions to the Senate inquiry, but that this was not forthcoming before the final submission date.[22]

Prior to the 2010 election the Australian Greens committed to support initiatives for e health which may be advanced by either a Labor or Coalition Government, ‘as long as strong data security and privacy protections are in place’ and individuals were given control over decisions about access to their records.[23] An election summary of policies noted:

The Greens support establishing an e-health system to enhance patient care, as long as the privacy of healthcare consumers is protected. We supported the Healthcare Identifiers Bill is [sic] last session of parliament which establishes the foundation of a future electronic health record system. The Greens believe that universal data will contribute to reducing the incidence of misadventure, save costs and inform performance across our health system.[24]

Stakeholder comments on e health issues in general, and in recent times, on the design and operation of the PCEHR are many and varied. Some stakeholder views regarding aspects of the PCEHR are discussed in the Library’s paper on e health and are briefly summarised in Box 3 below.

Health information technology consultant, Dr David More, considers one problem with the PCEHR is that it is intended the system will be used by both health professionals and consumers. In More’s view: ‘a system to be used by consumers and clinicians is just a fundamental nonsense. Any system targeting both groups will satisfy neither, inevitably’.[25] More believes the principal e health body NEHTA has also been ineffectual in managing the delivery of e health programs, specifically those relating to the PCEHR.[26]

Opt in

Ian Birks, Chief Executive Officer of the Australian Information Industry Association, is one of a number who have criticised the choice to make the PCEHR opt in. In Birks’ view, this will not deliver consumer engagement, an acknowledged key component of success for e health.[27] The AMA agrees an opt in system is not the best option for the PCEHR. It considers a ‘simpler’ opt out system would be more effective.[28]

Accenture, the organisation awarded the contract to build the PCEHR by the Government, argues that the opt-in model may prove cumbersome and costly; it may drive up costs and it risks a situation where enrolment will not reach critical mass.[29]

The Consumers’ Health Forum, in its submission to the current Senate inquiry, is another group which suggests reconsideration of an opt out model in light of evidence from the experience of other jurisdictions and the interests of consumer control of health information’.[30]

Consumer control

The AMA has consistently noted its opposition to aspects of patient access control of e health records—specifically, the extent to which patients may be able to change medical information on their records. It argues that only medical practitioners should be permitted to contribute medical information to an electronic record to ensure that the information on that record is always from ‘a trusted source’.[31] The Australian College of Health Informatics (ACHI) supports the AMA’s view, making its own point that it is unlikely medical practitioners will trust records that are patient controlled.[32]

At the same time, it can be argued that providing individuals with control over access to their PCEHR may be confronting for health professionals, but it is likely to foster greater patient confidence and acceptance of the system.

Legal issues

Patient control prompts questions about who is responsible for the accuracy, veracity and currency of information in records.[33] Furthermore, it suggests a variety of medico legal possibilities and probabilities, such as with whom ownership of medical records will reside. The medical profession is concerned about a medico legal minefield, and as it appears that the legal ramifications associated with the introduction of the PCEHR have not been sufficiently explored, it may indeed have cause for concern.

Incentives for practitioners

There is an argument that incentives need to be paid to medical practitioners to gain their full support for the PCEHR. The Royal Australian College of General Practitioners has suggested that government investment in change management within practices, training and education of practice staff and implementation of technical systems is necessary.[34] In September 2011 the Health Minister, Nicola Roxon, emphatically rejected introducing incentives, arguing that it is not the Government’s job ‘to fund each and every bit of a general practice or a health practice of any type which is going to constantly update itself and want to keep up with modern technology’.[35]

Privacy

How the PCEHR will ensure that privacy is protected is possibly the most contentious and difficult to resolve issue in relation to the PCEHR. Despite the Government’s assurances that privacy protection and appropriate security are critical aspects of the PCEHR and that a combination of technical, policy, governance and legislative safeguards will be in place to facilitate access only by the appropriate people and prevent inappropriate use of healthcare information, stakeholders continue to be wary of proposals for the PCEHR system.

Experts have also expressed doubts about the proposed system. Graham Ingram, general manager of AusCERT, for example, maintains that the personally controlled electronic health record project keeps him awake at night.[36] Ingram’s concern is that PCEHR records will be available at any time and from any device over the Internet. He argues: ‘If I can view my electronic health record from the Qantas Club or internet cafe, we have a problem. If we can't secure the machines, we can't secure the records’. Ingram suggests that the PCEHR system should only ‘be accessible to citizens at secured terminals, installed at healthcare facilities, Medicare offices, or other institutions where access can be logged and controlled’.[37]

Newspoll research in August 2011 found that 41 per cent of respondents were not confident their details will remain confidential under the PCEHR and health IT expert Terry Hannan warns: ‘The fact that nearly half the population appears to harbour concerns about [PCEHR] trustworthiness foretells a possible enrolment disaster next year, and threatens to turn the system into a white elephant’.[38]

Standards issues

In addition to the issues raised in Box 3, there has been concern expressed by a number of stakeholders, including the Medical Software Industry Association, that technical standards and system interoperability of the PCEHR will be inadequate.[39] Security experts have also expressed ‘alarm’ about whether the system will work, arguing that the technology to guarantee security does not exist.[40] One source, for example, criticised the Department of Health and Ageing and NEHTA for wasting ten months and $200 million to produce ‘nothing’ in the way of standards.[41] A report by Direkt for NEHTA released in May 2011 was also critical of the progress NEHTA had made in developing essential standards.[42]

In response to this type of criticism NEHTA announced the establishment of so called internal ‘tiger teams’ which were intended to produce technical standards by mid-November 2011 so there would be time for a Standards Australia review before the PCEHR commenced operation. The approach was labelled risky and a panic response by the chairman of one standards committee. This source claimed that while Standards Australia and other national bodies follow a tedious and slow process governed by the International Standards Organisation, the alternative of not conducting a rigorous assessment was worse.[43]

On 17 November 2011 NEHTA released a specifications and standards plan for software vendors. The plan outlined the timeframes and process for the release of standards for the PCEHR. To coincide with the plan, specifications for the PCEHR Event Summary document were published. NEHTA announced that specifications for other PCEHR components, including Discharge Summaries, would be progressively released. According to NEHTA, the plan was informed by feedback from software developers and implementers and the standards development community, as well as consultation on the Concept of Operations document and lessons from e health test sites.[44]

In December 2011, however, the Australian reported that the tiger teams process was ‘in disarray, following delays in finding volunteers and the late release of thousands of pages of both old and new documentation still to be pulled into shape as useable specifications’.[45]

In light of such delays in the critical process of establishing and deploying infrastructure for the PCEHR system, Dr Ian Colclough’s submission to the Senate inquiry echoes what it appears a number of other stakeholders have been thinking—the basic components of the PCEHR are far from ready to be deployed.[46] Colclough has suggested in fact that ‘more work needs to be done before a national rollout of an untried and unproven PCEHR system is permitted to proceed’ and that the passage of this Bill is ‘premature’.[47]

The submission to the Senate inquiry from the Medical Software Industry Association (MSIA), whose members include Cerner, Cisco, iSoft and Microsoft, added its criticism to Dr Colclough’s concerns about the issue of PCEHR readiness. MSIA effectively delivered what has been labelled a ‘scathing criticism’ of the handling of the e health record project.[48] It was particularly disparaging about NEHTA, claiming that while there was much ‘trumpeting’ about the release of the vendor portal launched in November 2011, there were a range of system useability issues which NEHTA had not addressed.[49] These included that documents which developers were expected to use were out of date or not final, as well as numerous other examples of ‘poor planning, failure to complete to deadlines and a range of other unacceptable behaviour that contravene normal Australian business practices’. In MSIA’s view, this did not inspire the confidence of software vendors.[50]

Prior to publication of the MSIA submission, in late January 2012 NEHTA announced postponement of the implementation of primary care desktop software development at a number of trial implementation sites. According to NEHTA, the decision was prompted after technical incompatibilities were identified in internal checks which occurred after the November release of specifications.[51] And while NEHTA, DoHA and the Government continue to stress 1 July as the key implementation date for the PCEHR, this delay may be the first in a number of similar setbacks, should claims such as those made by MSIA be proven to be correct.[52]

Ian Colclough’s comments are worth noting in this context:

Standards Organisations cannot expect the standards they are proposing will be readily adopted until the Standards Organisation can prove that the proposed standards will work and, equally importantly, that they can be implemented successfully before being formally designated as a ‘Standard’.

This raises some very important commercial and strategic considerations for health software vendors and for NEHTA. Who should ‘carry the risk’ of proving that the intended standards being developed and then recommended can be implemented and will work?

The complex nature of the healthcare environment dictates that standards must be allowed to evolve over time and not be enforced in the form of an ultimatum for all and sundry to adopt. It should first be proven that the proposed standards work in a controlled live environment and, as such, are acceptable to the vendor community.

Only then is it reasonable to consider the implications of subsequently mandating the standards and exploiting market forces to drive their uptake; perhaps through the use of certification and accreditation procedures.

Consequently, mandating standards prematurely should be avoided if at all possible. A more pragmatic and less risky approach is to create a collaborative environment which is conducive to allowing standards to evolve; an environment which is based on consensus and in which the ‘healthICT’ vendor community is closely involved. This needs to be done in a way which sensibly supports health software vendors who work at the coalface delivering solutions.[53]

In addition to the comments noted above, a number of general comments on e health and on the PCEHR proposals were made to the Senate Community Affairs Committee inquiry into this Bill and a related consequential amendments Bill.[54] Some of these are noted in this section.

The Australian Privacy Foundation (APF) expressed considerable angst that, in its view, it had not been able to engage in meaningful consultation with the Department of Health and Ageing (DoHA) and NEHTA, despite ‘systematic and transparent’ attempts to do so over several years.[55] In light of this situation the APF saw this Bill as ‘disappointing’. It listed a number of complaints including:

poor governance arrangements under which ‘[m]otherhood statements and general governance principles are documented without any form of operationalisation’. Specifically, the APF was concerned that government agencies ‘will steward all information’ stored in PCEHRs and that there ‘are no complaints mechanisms embedded in the Bills’

an ‘unseemly rush’ to ‘retrofit’ international system standards to Australian PCEHR architecture. The APF considers this will create an ‘island Australia’ in which businesses and consumers are unable to interact with other countries, and

Government and other agencies are ‘devoid of responsibility for adverse health errors, stolen or misused data from centralised databases and practitioner ICT systems’.[56]

In light of the APF’s comments, it should be noted that DoHA commissioned law firm Minter Ellison to review the privacy aspects of the PCEHR with the intention of achieving an ‘appropriate balance between the competing interests of access to health information and minimising any unnecessary and avoidable privacy intrusions’.[57] The Minter Ellison report, published in November 2011, contained 112 recommendations, of which 95 were accepted either in full or in part.[58] In terms of governance, it should be acknowledged that many of the recommendations in the report provide a potential basis from which subordinate legislation through regulations can address at least some stakeholder concerns.[59]

The Australian Psychological Society (APS) has raised concern that while the Concept of Operations outlined an ‘effective removal’ records option under which consumers could delete or restrict access, it is not clear if the PCEHR will then still contain a reference to the removed item. From discussions with NEHTA and other bodies the APS believes also that ‘despite their removal, effectively removed records can still be obtained from the System Operator by the consumers or even under court orders’. In other words, the removed records are still archived by the System Operator.[60] As details of this option will not be known until rules and regulations are made, the APS has called for clarification. However, as the APS also points out, this is an important privacy aspect which many would consider should not be left to supplementary legislative instruments.

As is noted throughout the section which discusses the provisions in this Bill, many of the submissions to the Senate Inquiry and to previous public consultations have expressed serious disquiet about the lack of detail provided in the legislation. Aged and Community Services Australia (ACSA) has remarked that rules and regulations have not been drafted, so they may vary over time, ‘yet they are to contain significant particulars of the PCEHR system’. Until the rules are drafted, ACSA continues, aged care providers (and indeed, all providers and consumers alike) ‘cannot know conclusively whether they will be even able to fulfil the requirements to participate in the PCEHR system’.[61]

The Australian Osteopathic Association has been equally concerned that so much will be left to subordinate legislation. It has specifically requested that the Senate Committee inquiry ‘require’ DoHA to disclose details so that interested parties can assess how the PCEHR system will actually operate.[62]

Certain professions are anxious about the financial burdens implementation of the PCEHR will place on them. They see themselves as bearing increased infrastructure and business costs without support or incentives from government and maintain that as a result the effectiveness of the system will be diminished.[63] Similarly, at least one hospital provider is uneasy about the financial risks it will incur ‘in the hope that by enabling hospital technology systems to utilise the potential benefits of the electronic record, sufficient clinicians and consumers will themselves voluntarily utilise the record’.[64]

As noted in the Parliamentary Library paper on e health, University of Sydney surgery professor, Mohamed Khadra, has described the $467 million allocated for the PCEHR as ‘a drop in the ocean’.[67] It has been recently reported also that healthcare organisations, medical providers and the software industry are sceptical about Government commitment to providing financial support for e health in general.[68]

This Bill consists of eight parts. The Explanatory Memorandum discusses each of these parts in considerable depth. The following section discusses provisions in the legislation that have raised, or may raise future concerns with stakeholders. The section refers to submissions received to the Government’s Exposure Draft of the PCEHR legislation and to those received in response to the referral of this Bill to the Senate Community Affairs Committee for investigation.

The Exposure Draft of the PCEHR Bill was released by the Government on 30 September 2011. Fifty one submissions were received to the Exposure Draft and these were consulted in preparing the current Bill. Some submissions to the Senate inquiry note that the current Bill has taken into consideration certain suggestions made to the Exposure Draft. For example, the Office of the Australian Information Privacy Commissioner acknowledges that the PCEHR Bill now includes that one of the functions of the operator of the system is to educate consumers and other participants among other additions to the Exposure Draft.[69]

As well as addressing issues raised in submissions to the Senate inquiry this Digest refers to a number of issues which were raised in the Exposure Draft and which appear not to have been addressed in the current legislation.

Part 1—Preliminary

This part states the title of the proposed legislation, deals with commencement and the object of the Act and provides a simplified outline of the proposed Act before considering a number of definitions to be used in the PCEHR system.

Healthcare and nominated healthcare provider

Part 1 clause 5 defines a series of terms and phrases used in the legislation. These include the definition of a PCEHR and the PCEHR system. Responses to the Exposure Draft elicited no substantial objections to the majority of definitions in clause 5. However, one response from Medibank considered that the definition of healthcare in the Exposure Draft was too limited. Medibank suggested that the legislation would be improved by the inclusion of a reference to the prevention of diseases, injuries or conditions. Similarly, the definition appeared to exclude instances such as some treatment affecting fertility under the definition of healthcare.[70] As the Explanatory Memorandum points out, many of the terms defined in the Bill are aligned with the Healthcare Identifiers Act 2010 and the Privacy Act 1988.[71] The definition of healthcare which Medibank found wanting is one such definition.

There has been some issue also with the definition of healthcare provider in clause 5. The legislation defines a healthcare provider as an individual healthcare provider or a healthcare provider organisation, but the Australian Privacy Foundation (APF) finds this inadequate, as does the Pharmacy Guild of Australia.[72]

By far the most controversial of the definitions in the Bill has related to which health professionals will be recognised as nominated healthcare providers. The Bill proposes in clause 5 that medical practitioners within the meaning of the National Law, nurses within the meaning of the National Law and certain categories of Aboriginal and Torres Strait Islander health practitioners within the meaning of the National Law are the categories of practitioners specifically eligible for recognition. Individuals, or an individual included in a class, may later be prescribed by the regulations, but some groups have argued that additional categories should be added to the definition. The Australian College of Midwives considers midwives should be one of these categories because of ‘the enduring therapeutic relationships’ midwives have with women for the course of their reproductive life cycle.[73] The Pharmaceutical Society of Australia recommends that the category be expanded to all nationally registered health professions.[74] The Pharmacy Guild of Australia argues that pharmacists are ‘frontline’ contacts for patients and so well placed to be nominated healthcare providers.[75] The Australian Osteopathic Association believes the Bill as it stands diminishes the professional standing of many health practitioners.[76]

Details are again not clear about who will ultimately be eligible as a nominated healthcare provider—the list may remain restricted or there may be ‘open slather’, depending on the regulations. There is the danger that patient privacy could be jeopardised if too many groups are able to create and maintain shared health records and it could be argued that this is the reason a core group of practitioners has been identified in the legislation. At the same time, there should be concern that regulations may later provide indiscriminate access to records.

One further issue in relation to the nominated healthcare provider is the AMA’s call for remuneration to be provided to medical practitioners for using the PCEHR. The AMA argues this will provide some compensation to these practitioners for the risks, costs and challenges they will incur in creating and maintaining shared health records, ‘for free’.[77]

Authorised representatives and nominated representatives

Clause 6 sets out and defines the concept of authorised representative of a consumer proposed under the legislation. The Explanatory Memorandum describes an authorised representative as a person who ‘will be able to register a consumer for a PCEHR and manage the access controls of the PCEHR on behalf of the consumer’.[78] Clause 7 defines a nominated representative of a consumer. A nominated representative essentially differs from an authorised representative in that the role undertaken is more informal and a consumer can still retain access control of his or her PCEHR. The Explanatory Memorandum provides a detailed discussion and examples of how these concepts will apply to those under and over the age of 18 years.

Clauses 6 and 7 have raised some concern. Subclause 6(3) provides that the entity which is to be responsible for creating and administering the PCEHR, the System Operator, can decide if a person under the age of 18 years is capable of managing his or her own PCEHR. MDA National Australia has questioned if a System Operator would be actually able to determine if persons under the age of 18 years are capable of making decisions, given the inconsistency in laws which exist across the states and territories.[79] Further, MDA asks if a System Operator of any kind should have the power to decide if a person is capable of making these types of decisions. In MDA’s view, such decisions are more appropriately in the hands of a medical practitioner. On the other hand, it should be noted that a medical practitioner is not involved in the decision to award a Medicare card to a young person 15 years or over who applies for one. This decision is an administrative one made by Medicare once appropriate identification is produced.[80]

The Australian Dental Association (ADA) has also expressed concerns about minors’ ability to manage their own health records. The ADA believes allowing minors even graduated control over their PCEHR may create a precedent which could have unintended consequences. It considers there are considerable risks that health practitioners may not receive adequate and relevant information to enable them to provide effective care if minors are given this type of control.[81]

There has also been concern expressed about the processes by which the System Operator will be ‘satisfied’ about the appropriateness of persons to act as authorised or nominated representatives or whether a consumer is capable of making decisions about his or her PCEHR. A joint submission to the Senate inquiry from Aged and Community Services (ACS) and the Aged Care Association of Australia (ACAA) pointed out some difficulties with the term. The legislation is silent, for example, on ‘the process or threshold of the relevant satisfaction’ and other important details, such as ‘when satisfaction might lapse’.[82] Similarly, this submission questions the level of informed consent required, how consent is to be obtained and what occurs if consent is withdrawn or lapses due to incapacity.

It can be assumed that these processes will be articulated in rules and regulations which will be able to be made under clauses 109 and 112. However, there is no certainty that this will be included in the rules and/or regulations. Nor is it certain that a rule and/or regulation will be made in this instance, as clause 109 states only that the Minister may make rules relating to various aspects of the operation of the PCEHR system. Clause 112 states that the Governor–General may make regulations prescribing matters to carry out or give effect to the Act (once enacted).

The Victorian Minister for Health, David Davis, in his submission to the Exposure Draft Bill noted that the Bill referred to proposed regulations in ‘multiple places’ and that there was an indication of ‘known’ areas where rules were likely, but there was ‘no detail of their content’.[83] Minister Davis rightly identified that the PCEHR Rules would be ‘crucial to understanding the impact of implementing the PCEHR and its ongoing operation on existing clinical processes’. At the same time, however, Davis considered it appropriate that the rules were not enshrined in core legislation.[84] From the tone of many submissions to the Exposure Draft, it appears that this is not generally the view of stakeholders.

In the view of the APF, clause 11 is also problematic. This clause states that the Crown is not liable for prosecution or pecuniary penalties for offences under the legislation. The APF believes the clause absolves governments and their agents from any responsibility for the handling of personal clinical information.[85] The Explanatory Memorandum counters, however, by noting that this type of clause is common in Commonwealth legislation and its existence does not mean that the Crown is exempt from sanctions:

If the Crown in any of its capacities does not comply with its obligations under this Bill, other remedies are potentially available. For example, it may be subject to a declaration or injunction, investigated by the Information Commissioner under the Privacy Act, investigated by the Ombudsman, subject to Parliamentary scrutiny or subject to claims for breach of statutory duty. Further, while the Crown may have immunity in certain regards, the employees and contractors of the Crown will not necessarily have any such immunity. Finally, nothing in the Bill prevents an individual who suffers loss or damage from seeking to recover that loss or damage from the person who caused it.[86]

Part 2—the System Operator, advisory bodies and other matters

Part 2 of this Bill sets out the proposed governance arrangement for the PCEHR system. This part establishes the System Operator and two advisory bodies—the Jurisdictional Advisory Committee and the Independent Advisory Council. Part 2 also sets out the function of the Chief Executive Medicare in relation to the PCEHR.

System Operator

There has been considerable concern expressed about the identity and role of the System Operator. While the legislation provides under paragraph 14(1)(b) that once the PCEHR is operational a new body may be established and prescribed in regulations to act as the System Operator, at least initially it is intended that the role will be assigned to a bureaucrat—the Secretary of the Department of Health and Ageing. In its response to this situation as described in the Exposure Draft, the Pharmacy Guild of Australia expressed concern:

... the appropriate governance framework [for the System Operator] is yet to be determined and that the Secretary of the Department of Health and Ageing will fulfil the role. Governance of such an important system should not [emphasis in original] be vested in a single person who may or may not choose to follow the advice from the Jurisdictional Advisory Committee and the Independent Advisory Council.[87]

This view was echoed in a number of submissions to the Exposure Draft, although at least one submission to the current Senate inquiry ‘understood’ the difficulty in establishing an independent System Operator initially.[88]

In contrast to the concern expressed by stakeholders about bestowing significant control over personal information on a bureaucrat, the Explanatory Memorandum argues that having the Secretary of the Department of Health and Ageing as the System Operator will ensure accountability and transparency.[89] In addition, the arrangement will deliver a smooth transition from arrangements made to accommodate the PCEHR ‘system build’ and provide coordination for jurisdictional and stakeholder involvement.[90]

The Explanatory Memorandum notes also that it is intended that discussions will continue with states and territories with regards to the development of ‘an inter-jurisdictional national e-health body’.[91] The establishment of such a body may indeed allay the concerns of critics, but while it remains only a possibility and the situation exists where a bureaucrat is entrusted with what for many seems excessive control over the PCEHR system, it seems unlikely that these objections will cease. In addition, at least one stakeholder is concerned that consultations about an alternative system operator body may only take place between the federal and state and territory governments, without, for example, reference to input from Indigenous people.[92]

Limitations on the functions of the System Operator under clause 15 appear to be of minor concern. Primarily, as David Davis notes, paragraph 15(b)(0) provides that a function of the System Operator is to do anything incidental or conducive to the performance of any of the functions listed in the clause. Davis assumes that this function has been deliberately made broad ‘to prevent a narrow or literal interpretation’ from hampering the operation of the PCEHR system, and that the expansive scope of the statement could be reconsidered.[93]

On the other hand, the broad nature of the System Operator’s powers, as noted by Davis, has caused considerable disquiet. Clause 16 requires the System Operator to have regard to advice and recommendations made by a Jurisdictional Advisory Committee and an Independent Advisory Council. A number of submissions to the Exposure Draft pointed out that this requirement does not include a direction for the System Operator to take that advice. As a result, some groups, such as the National Aboriginal Community Controlled Health Organisation (NACCHO), believe:

... the ‘unlimited power of the System Operator is a potential threat to the integrity of the PCEHR. By allowing the System Operator to take advice, but not be required to act on that said advice, it allows for the System Operator to be negligent and dismissive of potential issues arising.[94]

The Office of the Australian Information Commissioner (OAIC) submits also that it is not sufficiently clear whether any future System Operator will be subject to the Privacy Act.[95] The OAIC notes that while the Explanatory Memorandum states that this will be the case, ‘there is no corresponding provision in the PCEHR Bill’; further, that it is intended the OAIC will provide comprehensive privacy oversight and that this will be achieved by establishing the System Operator as an ‘agency’ for the purposes of the Privacy Act. However, the OAIC recommends that this is specifically stated in clause 14.

The Explanatory Memorandum makes no attempt to justify the System Operator’s powers, simply noting that advice and recommendations from the advisory committees and the System Operator’s subsequent decisions ‘may be made public to provide for public scrutiny and transparency’.[96] There is no guarantee, however, in either the Explanatory Memorandum or the legislation, that advice and/or decisions will actually be made public.

In addition, the Explanatory Memorandum advises that the System Operator and its advisory bodies may draw on expert advice ‘as appropriate’ and that this includes advice from the Australian Information Commissioner in relation to privacy matters.[97] But yet again, there is nothing in the actual legislation which requires the System Operator to do so. The question could be raised therefore about whether the Information Commissioner should in fact be mentioned in the legislation in this instance. Additionally, with regards to the powers of the Information Commissioner in general, it could be asked if these should be more formally elaborated upon in the legislation, rather than being obliquely referred to for the most part throughout the legislation with reference to the Privacy Act 1988 (the Privacy Act).

In both its submissions to the Exposure Draft and to the Senate inquiry, the Australian Psychological Society points out also that it is not clear in the legislation to whom consumers can turn when they have issues or complaints against the PCEHR System Operator. Clause 97 states that decisions made by the System Operator will be subject to merits review and the clause lists to what types of decisions this would apply, but it does not make reference to complaints about the System Operator itself.[98] Its submission to the Senate inquiry adds that there should be a one stop shop for all complaints about the system. In addition, the Senate submission considers efficient ‘operational infrastructure’ for the PCEHR requires that a cross agency committee, which consists at least of representatives from DoHA, the Department of Human Services and the Department of Broadband, Communications and the Digital Economy, is set up.[99]

Advisory committees

Global information security company, Giesecke and Devrient, consider in particular that if the Secretary of the Department of Health and Ageing continues as the System Operator, there is a clear requirement for ‘strong and wide ranging powers’ to be granted to both the Jurisdictional Advisory Committee and the Independent Advisory Council.[100]

The Royal Australasian College of Surgeons (RACS) submission to the Exposure Draft focussed on the issue of the independence of the Independent Advisory Committee, suggesting that the Department of Health and Ageing would have considerable influence over clinical advice provided to the Committee and that this would affect its ‘rigor and effectiveness’.[101] According to RACS, this was a long way from the governance principles articulated in the Government’s legislative issues paper.[102] These principles were those first articulated in the National E-Health Strategy—accountability, transparency, appropriate stakeholder representation, sustainability, support for activity at multiple levels, effective leadership and coordination and balancing local innovation and national outcomes.[103]

The Consumers e-Health Alliance (CeHA) proffered a solution to improve governance which entailed the Independent Advisory Council providing advice to the Minister, rather than the System Operator. CeHA sees this approach as maintaining a necessary separation between the ownership and operation of the PCEHR, while at the same time delivering a ‘continuum of community engagement’.[104]

There are likely to be further questions about the composition of the Independent Advisory Committee as proposed in this Bill. The Health Consumers Council (HCC) was unhappy with the provision in the Exposure Draft that one knowledge requirement for each member of the Independent Advisory Council was that of ‘consumers’ receipt of health care’. The HCC called for this to be changed to require that an independent consumers’ representative (that is, a representative not associated with a healthcare provider) be a member of the Council.[105]

While the HCC is likely to be pleased that under the proposed legislation three members of the Council must have ‘experience in or knowledge of consumers’ receipt of healthcare’, it is likely still to note that there is no specific requirement for any of these to be independent of healthcare organisations or providers.[106] Moreover, this group and others may also be concerned about the lack of specificity with regards to the experience and/or expertise of Council Members across a broad spectrum of areas ranging from law and privacy to health informatics and information technology (clause 27(2)(b)). The Australian College of Midwives, for example, argues that places on the Independent Advisory Council should be allocated to registered nurses and midwives because no profession is able to speak for others on matters outside its scope of practice and this will occur unless nursing is specifically represented.[107]

The Aboriginal Medical Service Alliance of the Northern Territory (AMSANT) was not convinced that the needs of Aboriginal people will be best served by the state and territory representatives appointed by health departments. AMSANT noted that many Aboriginal health services ‘have continued issues with their respective state and territory health departments, [so] to have representation exclusively by them would serve only to repress their needs’.[108]

The Australian Medical Association suggested that the System Operator could be made more accountable if a requirement were included in legislation that advice provided by the Jurisdictional Advisory Committee (and it could be argued the Independent Advisory Committee) must be published on the System Operator’s website within ten days of that advice being provided to the System Operator. Further, that the System Operator’s reasons for accepting or not accepting that advice should also be published on the System Operator’s website within ten days of a decision being made.[109]

The Consumers Health Forum has since expressed its concern that the System Operator is under no obligation to accept recommendations from the Jurisdictional Advisory Committee and the Independent Advisory Committee. CHF called for a requirement for the System Operator to provide a rationale for any decision not to accept recommendations from the advisory committees to be included in the legislation.[110] The Aboriginal Medical Service Alliance of the Northern Territory is of a similar view. It recommends that the System Operator should ‘have a unilateral agreement between itself and the two independent advisory groups before initiating any significant actions that may affect health outcomes’.[111]

Part 3—Registration

Part 3 of the proposed Bill sets out the eligibility criteria for registration for participants in the PCEHR system. It also sets out obligations which the System Operator must fulfil in the registration process and the obligations of participants in the system.

Voluntary registration

A number of issues have been raised in conjunction with the proposed registration requirements in the Bill. Clause 39 indicates that registration for the PCEHR will be voluntary; no consumers who choose to ‘opt out’ by not registering will be denied access to healthcare services and medical benefits, as long as they comply with eligibility requirements. This voluntary nature of consumer registration prompted Epworth Hospital to argue in its submission to the Exposure Draft that there can be no uniform national PCEHR system unless consumers are denied any ability to opt out of the system.[112]

Pseudonyms

A contentious issue has been whether registration by pseudonym will be allowed under the PCEHR. The Explanatory Memorandum confirms that clause 40 will allow consumers to register using a pseudonym, if they have obtained a pseudonymous healthcare identifier from the Healthcare Identifiers Service.[113] The Office of the Australian Information Commissioner (the Information Commissioner/OAIC) supports giving individuals the clear option to transact pseudonymously to protect their privacy, where this is lawful and practicable.[114]

At the same time, other organisations are opposed to registration by pseudonym. The ADA believes there is potential for pseudonyms to be misused fraudulently.[115] The Australian Nursing Federation has also been opposed to allowing the use of pseudonyms on the grounds it may lead to fragmentation or duplication of healthcare records and documentation errors and duplication of health information.[116] The Royal Australian and New Zealand College of Psychiatrists calls the proposal ‘potentially dangerous’ because it may mean medical practitioners only have access to incomplete records. This college suggests that some alert must be in place to warn practitioners and to allow them to refuse to treat patients ‘they conscientiously believe they cannot help adequately’.[117]

Other consumer registration issues

A number of other issues have been raised in relation to consumer registration. These include what are seen as omissions in the registration process. The Office of the New South Wales Privacy Commissioner argues that registration as specified under clause 39 should have provided for a trans‑gender category, for example.[118] Further, David Davis expresses concern that registration processes specified under clause 40 may not sufficiently identify consumers who will possibly be able to register online or by telephone.[119] The ADA also notes its concern about the lack of personal identification required to release personal medical records and to establish a PCEHR for consumers. The ADA considers that the identification required before a consumer is registered in the PCEHR system should be at least consistent with that which is needed when people apply for a Medicare Card, drivers licence or a passport.[120]

AMSANT has called for more accommodation of the needs of Aboriginal people in the registration process through the provision of adequate translation services to ensure privacy is not compromised.[121] While no submission made the point, it could be argued that this issue would be equally applicable to persons of non-English speaking background.

The Explanatory Memorandum argues there is provision in the proposed Bill for regulations to be made which will be able to deal with such issues (paragraph 40(b)(v)).[122] The Explanatory Memorandum lists a number of matters that may be addressed in PCEHR Rules and the types of documentation required for registration for example. Whether these matters are resolved by the regulations, however, does depend on what is contained in those regulations.[123]

In at least one instance, it has been suggested that regulations may prove inadequate. South Australia Health points out issues in relation to the registration of newborn infants, quoting the Government’s Concept of Operations document which concedes that these consumers may not have a verified healthcare identifier and that alternative processes will be put in place to deal with this situation. This is not addressed in the legislation and indeed, South Australia Health suggests that the note to clause 41 which prevents the System Operator from registering a consumer in circumstances other than those cited in the clause may not permit the registration of newborn infants under the PCEHR system.[124]

Davis points out also that clause 41 requires the System Operator only to decide to register a consumer; rather than that it must register a consumer who satisfies registration eligibility.[125] Clauses such as this therefore give the System Operator a considerable amount of discretion and while again it may be that the regulations will deal with these types of matters, it remains that this language is embedded in the legislation and equally it is not clear what exactly will be in the regulations.

Registration of healthcare providers

Divisions 2, 3 and 4 of Part 3, which deal with the registration of healthcare provider organisations, appear to have elicited less comment than conditions relating to the registration of consumers.

A general comment by the Medical Software Industry Association (MSIA) is worth noting. The MSIA considers that it is critical healthcare providers and organisations are made aware of rules of operation for all parties from the outset. But at present there are only statements about what rules may be made by the Minister, so uncertainty exists with respect to storage, administration and participant requirements; all essential aspects of governance.[126]

The MSIA saw paragraph 45(c), which provides that organisations must not upload records that could infringe copyright, as problematic. The MSIA considered:

This could be a hard call for a registered nurse or exhausted health professional not trained in intellectual property. The only safe course would be to err on the side of caution and not share the information which could prove useful to the care team and improve the health care of the consumer.[127]

It recommended clarifying the clause. This could occur, for example, if the creator of a record noted copyright in that record and if there was an intention to allow or disallow it to be shared within the PCEHR.

The Insurance Council of Australia believed clause 46, which requires healthcare providers not to discriminate against those not registered under the PCEHR system, may in fact prohibit practitioners from refusing treatment on legitimate grounds. The Council called for clarification of this provision, so that practitioners will not be inadvertently affected. In a similar vein, the Royal Australasian College of Physicians (RACP) commented:

Consumers may experience differences in their care because they have concealed relevant information because of the nature of the information that has been concealed rather than the mere fact they have concealed information. Thus, a person who conceals the information that they have diabetes may not receive healthcare aimed at managing the condition, including complications.[128]

RACP suggested that it be made a condition of registration that a healthcare provider does not refuse to provide healthcare to a registered consumer only because the consumer has set particular access controls on his or her PCEHR.[129]

Storage of records

Paragraph 48(c), which is intended to require repository and portal operators to locate the central management and control of their services in Australia at all times while the operators are registered, has attracted some comment. The Office of the Australian Information Commissioner (OAIC) welcomed the proposed requirement as stated in the Exposure Draft.[130] The OAIC also supported the requirement (under clause 77) that records held by these operators (and registered service providers and the System Operator) for the purposes of the PCEHR system (whether or not the records are also held for other purposes) must not be held or taken outside Australia. OAIC believed that storing and processing health information in other jurisdictions may reduce the security of this information and limit avenues for redress in the event information was misused or mishandled.

A joint submission from Records and Information Management Professionals Australasia and the Australian Society of Archivists on the Exposure Draft was equally supportive of records being located within the geographical boundaries of Australia, so that local privacy and other legislative regimes will apply.[131]

The Microsoft submission to the Exposure Draft argued on the other hand that healthcare information stored in a PCEHR will not necessarily be better secured and protected simply by virtue of data being held within Australia. Microsoft considered the exclusion of storage repositories and portals located outside of Australia will prevent many well-credentialed corporations from providing services to healthcare consumers in the PCEHR system.[132]

In the context of this discussion it should be noted that not every state in Australia has privacy legislation. South Australia, for example, does not currently have a state-based privacy statute. However, the South Australian government has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles. Similarly, there is no legislative privacy regime in the public sector in Western Australia. In that state, various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA).[133]

Privacy issues were raised by MSIA in relation to what now constitute a number of clauses in Part 4 of the proposed legislation. Clause 50 provides that registered repository, portal or contracted service providers must provide information included in the PCEHR of a consumer if requested to do so by the System Operator. As there are no rules to clarify this provision the MSIA argued that it may be possible that situations occur ‘where consumers would not have provided the information if they had been aware this was a possibility. This would not therefore constitute truly informed consent and could pose a serious threat to privacy’.[134]

Clause 57 requires that the entries made in the Register to be established by the System Operator can include ‘such administrative information as is necessary for the purposes of the proper operation of the PCEHR system’. In MSIA’s view, this is an ‘unduly open’ clause which could have an impact on privacy. Therefore, the type of information to be recorded requires specification from the outset.[135]

Part 4—collection, use and disclosure of health information included in a registered consumer’s PCEHR

Part 4 of this Bill describes the uses for which information relating to a PCEHR can be collected, used and disclosed. This part also deals with civil penalties that may be imposed if information is collected, used or disclosed recklessly.

Clarification of terminology

The AMA was uncertain of the difference between the terms ‘access’, ‘collection’ and ‘use’ in this part, and sought clarification.[136]

Civil penalties issues

The Victorian Health Minister viewed the civil penalty scheme elaborated upon in the Exposure Draft with concern. In his opinion it captured conduct which ranges from that which was serious and may warrant criminal sanctions to very minor infringements which should not attract significant penalties (clauses 59 and 60).

On the other hand, the APF viewed the civil penalties as ineffective, given that a person who breaches the PCEHR must be proven to be reckless and knowingly so in the use and disclosure of information. The APF asked, seemingly with tongue in cheek, what penalties would apply in the context of unintentional breaches of community information. It suggested such penalties could include, but not be limited to, compensation to the aggrieved parties or the availability of class action in the case of major breaches.[137]

Disclosure and control

The OAIC in particular made extensive comments on use and disclosure clauses in the Exposure Draft. Importantly, the OAIC endorsed the emphasis placed in the legislation on individual control of consumers’ health information. This continues to be a focus in this Bill, for example under paragraph 61(1)(b)(i). According to the OAIC, ‘it is important that individuals are able to choose whether to have a PCEHR, and if they choose to have a PCEHR, that they are able to choose what information will be included and who will have access to it, to the extent practicable’.[138]

Further to the OAIC’s comment, Dr Rod Phillips from the Royal Children’s Hospital is unhappy that while adults can choose to open a PCEHR, they cannot choose to delete it fully or partially. Phillips believes that if people are given an option to delete information permanently after a ‘cooling off’ period, there will be more consumer acceptance of the PCEHR. Phillips believes the same option is even more important for children.[139]

In opposition, and as noted in the Parliamentary Library paper on e health, the Australian Medical Association (AMA) has been highly critical of the intention that consumers would retain control of their e health records. The AMA considers patient control sets a ‘very dangerous precedent that could undermine all the potential benefits of an electronic health record’.[140]

Additionally, the ADA has argued that if consumers are worried about sensitive information then they should not ‘opt in’, but those who do so should not have the ability to withhold selected information, as this will compromise the integrity of the record and not deliver envisaged improvements in patient care.

It is absolutely essential the practitioners who have access to PCEHRs have confidence that the record is complete and can be used to influence clinical decisions. If practitioners lose confidence in the PCEHR System (due to consumers making decisions as to what health information to disclose – creating the risk that medically relevant information is omitted from health practitioner’s clinical assessments), they will stop using it and it will fail.[141]

The ADA considers that if the legislation is not changed and practitioners are forced to rely on records that may be incomplete, then a provision must be included to indemnify health practitioners from any liability arising from their reliance on consumers’ PCEHRs.[142] Medical Defence Organisation, Avant, submitted it was similarly concerned about the effect of consumers choosing to exclude or limit practitioner access to health information. Avant’s solution was that the System Operator should be required to inform practitioners if limitations were on consumer records.[143]

Another issue of concern in relation to clause 61 involves a situation where no controls may have been set on the disclosure of information. Clause 61 authorises a participant in the PCEHR to collect, use and disclose health information of a registered consumer if the information is for the purpose of providing healthcare to the consumer and if it is in accordance with access controls set by the consumer. If there are no access controls set, then use and disclosure access is to be in accordance with ‘default access controls’ specified by the PCEHR, or if these do not exist, then access control is set by the System Operator.

It would be useful in the MSIA’s view if paragraph 61(b)(ii) actually specified what default settings would apply and that these were to be privacy compliant.[144] Neither is it appropriate, according to the AMA, that the System Operator is able to set default controls should there be no specification in PCEHR rules. The AMA argues, however, that certain information should be available by default to medical practitioners and this should include pathology and diagnostic imaging results, hospital discharge summaries and medications dispensed.[145]

The Consumers’ Health Forum submission to the current Senate inquiry objects to the removal of the option for consumers to label their record ‘no access’; it acknowledges that the Concept of Operations document for the PCEHR justifies this on the grounds that it may be necessary to access information in an emergency (see the following paragraphs for discussion), but nevertheless CHF is convinced the option should be reinstated. CHF consultations found unanimous support for reinstatement with consumers describing the no access option ‘as a “deal-breaker” in terms of their participation in the PCEHR system’.[146]

Paragraph 63(a) authorises the collection and use of information from the PCEHR system for the management or operation of the PCEHR system if consumers would ‘reasonably expect’ this to be done. However, the MSIA argues that realistically many consumers will be unaware of how the system will operate and that there is insufficient detail in this provision to engender confidence that privacy and consent to disclosure will be respected. Individuals should have a right to full disclosure of the collections of data to which others will have access and could affect the profile of the individual concerned.[147]

Paragraphs 64(1)(a)(i) and (ii) allow for the disclosure of information in case of an emergency, that is, if collection, use or disclosure of health information is ‘necessary to lessen or prevent a serious threat to an individual’s life, health or safety’ and it is ‘unreasonable or impracticable to obtain the consumer’s consent’. Epworth Healthcare notes that there is no definition of what would constitute a serious threat for the purposes of the legislation.[148] Some discussion and guiding principles along the lines of National Privacy Principle 6 may rectify this situation. This could be included in the definitions in clause 5 or in regulations which may later be specified; however, at present, detail is lacking.

A submission from the Royal Children’s Hospital reads into the consent issue that clause 64 would apply if a consumer was unconscious, even if the consumer has explicitly stated that he or she forbids access to parts of the PCEHR. The submission argues:

This is inconsistent with Australian medical law under which medical care cannot be forced on any competent adult. The wish of a person who states in advance that they will not receive blood products if they are dying is recognized by law. This situation is analogous [sic] with a person who states they do not want certain information in their PCEHR to be available even in an emergency.[149]

In contrast, practitioner and academic Dr Kathryn Antioch cites the case of an emergency situation during a national public health threat where it is critical that practitioners have access to entire PCEHR records in order to mitigate the crisis.[150]

Use of information for research

Clause 66 will enable identified health information to be used for research purposes if a consumer has consented. According to the Explanatory Memorandum, unlike the position under the National Privacy Principles, the PCEHR legislation will not regulate de-identified information, a position which Medibank thinks should be reversed as de-identified information should be of significant interest to medical research centres.[151] NACCHO considers on the other hand, that this requirement for consent to use identified information only should remain. This is because in NACCHO’s view unless de‑identified data is completely cleansed of all identifiable fields, persons in some Aboriginal communities may be identified and this could cause Aboriginal people to ‘abandon’ the PCEHR.[152]

The Bupa Health Dialog submission to the current Senate inquiry argues that ‘it is essential that de‑identified clinical data held in the PCEHR system is made available to organisations for secondary uses that will enable delivery of improvements in the health outcomes for all Australians’.[153] However, the Royal Australian College of General Practitioners points out, at the time a person gives consent for collection, use and disclosure of information all potential research uses cannot be known. Hence, a person is unable to give fully informed consent.[154] On the other hand, it could be argued it is likely that most expected uses of data could be covered under some form of limited disclosure agreement that could be developed after consultation with consumer and privacy groups.

Clause 69 which allows the disclosure of information to courts and tribunals is also criticised by NACCHO which, while it acknowledges the need to uphold the law, all the same believes that this aspect of the legislation could be ‘potentially used as a method to track people’s current location and travels’.[155] Medibank criticises this clause because it argues the clause does not take into account that in certain legal proceedings disclosure is required to be made directly to a party or to a prospective party to possible proceedings.[156]

The OAIC supports civil penalties for unauthorised use or disclosure of health information in the PCEHR system, where these relate to sufficiently serious misconduct. The OAIC is disturbed that under subclause 71(4) health information that was originally obtained from the PCEHR system, where such information was ‘stored in such a way that it was capable of being obtained other than by means of the PCEHR system’, and the information was obtained ‘by those other means’ is not to be subject to penalties under the legislation. Instead, existing privacy and health laws are to apply depending on the jurisdiction.[157] The OAIC argues that for some entities therefore, there may be no privacy law applying to consumer’s health information once it is downloaded from the PCEHR system.[158]

The OAIC is unsure of the policy reasons for this exemption. In the OAIC’s opinion, individuals have an interest in clear and consistent privacy protections applying to their health information in the PCEHR system, irrespective of where a person accesses it and how that person subsequently stores the information. This is particularly important given that the PCEHR system will transform the way in which health information is shared across jurisdictions, making it much easier for individuals’ health information to be transferred between healthcare providers.[159]

The OAIC and privacy concerns

Part 4 Division 4 of the Bill, which deals with interaction with the Privacy Act, is substantially unchanged from the Exposure Draft Bill.[160] This division in the Exposure Draft prompted considerable comment from the OAIC. Essentially, the OAIC was concerned that the clauses in this division did not sufficiently clarify the powers of the Commissioner or clearly state the relevant sections of the Privacy Act which applied in the cases of breaches of privacy.

Section 64 of the Exposure Draft Bill (clause 72 of the proposed legislation) for example stated that ‘an authorisation to use or disclose health information under this Act is also an authorisation to use or disclose the health information for the purposes of the Privacy Act’. The OAIC suggested that this clause be clarified so that uses or disclosures of health information which are authorised under the legislation fall within the ‘required or authorised by law’ exception to National Privacy Principle 2.1.[161]

The OAIC noted with reference to powers of the Information Commissioner, that its discussions with the Department of Health and Ageing indicated that clause 65 in the Exposure Draft, that is, clause 73 in the proposed legislation, is intended to authorise the Information Commissioner to receive complaints about an act or practice that contravenes the proposed legislation in connection with a consumer’s health information. The Commissioner can then investigate the act or practice in accordance with the OAIC’s functions and powers in Part V of the Privacy Act. However, the OAIC was concerned that the Exposure Draft clause did not specifically state this. It argued with reference to the Exposure Draft:

... the Draft Bill (and amendments to the Privacy Act) could make the Commissioner’s role in regulating contraventions of the Draft Bill more certain, particularly with regard to applying Part V and ss 13 and 13A of the Privacy Act. This Part of the Draft Bill could also set out how the civil penalty provisions are intended to interact practically with other privacy laws (including State and Territory privacy laws).[162]

Further, the OAIC considered it unclear whether the Information Commissioner could undertake an investigation under subsection 40(2) of the Privacy Act in the absence of a complaint.[163] Additionally, the OAIC considered the Information Commissioner’s power to investigate complaints about anyone who may have breached a civil penalty provision (including state or territory authorities) was also not clear in the Exposure Draft. As the substance of this clause has not changed, it can be argued that this concern continues to be valid for the proposed legislation.

A note to clause 73 refers only to the Commissioner’s power to investigate a complaint under section 36 of the Privacy Act, where a complaint has been made by an affected individual, but in the OAIC’s opinion, there are ‘strong reasons’ for allowing the Commissioner to commence his or her own investigation under subsection 40(2) of the Privacy Act in relation to possible contraventions of civil penalty provisions.[164] It notes that this power could be important given that mandatory data breach notification requirements in the proposed legislation (under Part 5) do not apply to all entities that may collect health information from the PCEHR system.[165]

In recommending clarification of the Information Commissioner’s powers, the OAIC notes that section 27A was inserted in the Privacy Act by the Healthcare Identifiers (Consequential Amendments) Act 2010 to clarify the Commissioner’s functions in relation to a contravention of that Act and that the Privacy Act could be similarly amended in relation to the PCEHR.[166]

The OAIC considered that the Exposure Draft did not make it clear whether an interference with the privacy of an individual as described now in clause 73 would be covered by section 13 or section 13A of the Privacy Act. Section 13 describes interferences with privacy by agencies and other entities, while section 13A describes interferences with privacy by organisations. An entity, such as an individual or a state or territory authority, which contravenes the privacy of an individual may, however, be one not defined in the Privacy Act. The OAIC suggests therefore that greater certainty could be achieved by stating when a contravention would be an interference with the privacy of an individual under either section 13 or section 13A of the Privacy Act.[167]

According to the OAIC, another effect of what is now proposed clause 73 would be that some uses or disclosures that are permissible under an exception to the National Privacy Principles would be ‘interferences with privacy’ under sections 13 and 13A of the Privacy Act. For example, under National Privacy Principle 2.1(d), a healthcare provider organisation covered by the Privacy Act could disclose health information for research purposes in certain circumstances.[168] However, for health information included in a consumer’s PCEHR, such a disclosure may in fact be an ‘interference with privacy’ for the purposes of the Privacy Act as it is not specifically authorised in Part 4, division 2 of the proposed legislation.

The OAIC expressed further concern that there was inconsistency between the proposed legislation and the Privacy Act, given that sections 13 and 13A of the Privacy Act prescribe acts or practices that interfere with the privacy of an individual, rather than the privacy of a consumer as stated in clause 73. For greater certainty, the OAIC proposes therefore, that its investigative powers are clarified in the Bill and the Explanatory Memorandum.[169]

Complaints handling processes in the Exposure Draft needed to be clarified according to the OAIC, but it does not appear that the proposed Bill has attempted to do this. However, the OAIC understood from discussion with the Department of Health and Ageing:

... that consumers will be encouraged to raise any privacy complaints with the System Operator in the first instance, before such complaints are escalated to an appropriate privacy regulator. Based upon the Commissioner’s experience as a privacy regulator, this procedure will help to ensure that complaints are resolved as quickly as possible, while also preserving the relationship between consumers and PCEHR participants to the extent possible. However, in the OAIC’s opinion, this procedure should not override privacy regulators’ discretion to decide to investigate a complaint in the absence of an initial complaint to the System Operator.[170]

In its submission to the Senate inquiry the OAIC stressed a similar point, arguing once again that clarification is necessary and listing what it sees as minimum complaints handling requirements, such as what constitutes the complaints referral process and whether an individual must first complain to a respondent before making a complaint to the System Operator or the OAIC.[171]

Secondly, the OAIC noted that the Exposure Draft and its companion document did not clarify the process for a privacy regulator to refer a complaint to another privacy regulator. It suggested therefore that PCEHR legislation allow that an individual should make a privacy complaint to the System Operator in the first instance before such a complaint is escalated to a privacy regulator. Regulators should also be allowed to decide to receive complaints in the absence of an initial complaint.[172]

In effect, as its submission to the current Senate inquiry indicates:

The OAIC believes that the interaction between the PCEHR Bill and the Privacy Act remains uncertain in several aspects. Initially, greater clarity could be achieved by amending the Privacy Act to confirm that the Information Commissioner may investigate anyone who may have contravened a civil penalty provision in the PCEHR Bill (even if that person would otherwise be exempt under the Privacy Act).[173]

Part 5—other civil penalties

Part 5 of this Bill sets out civil penalties for breaches in the use of the PCEHR and non-compliance with requirements imposed under the PCEHR system.

The AMA finds the requirement in clause 74(1), which requires authorised users who access a PCEHR to notify the System Operator on each occasion they do so, to be ‘a new and burdensome responsibility on already busy practices’.[174] The Explanatory Memorandum sees this requirement as essential in enabling the System Operator to maintain a comprehensive access audit trail. It argues in defence of this requirement that healthcare organisations are best placed to ensure that their IT systems are configured to provide the necessary information to the System Operator.[175] But the AMA argues there is no assurance ‘IT systems configured in this way will be tested, proven and widely available when the PCEHR is launched’. It recommends therefore that these penalty provisions should not commence until such systems are available at a reasonable price.[176]

Part 6—civil penalty supporting provisions

Part 6 of this Bill describes the details of how the civil penalties will be applied.

Part 7—voluntary enforceable undertakings and injunctions

Part 7 of this Bill sets out how voluntary undertakings will be used as part of the PCEHR system to improve compliance with obligations.

Under clause 75 of the Bill, the System Operator, registered repository operators and registered portal operators will be generally required to notify data breaches to the System Operator, and in some cases the Information Commissioner, and to take certain steps after becoming aware of the breach. The OAIC considered other entities, such as registered healthcare provider organisations, should also be subject to data breach notification provisions. This would ensure, for example, that the System Operator could be made aware of a data breach (or potential data breach) known to a healthcare provider organisation and improve the operator’s ability to respond to, or contain the breach.[177]

In the OAIC’s opinion, the Information Commissioner’s power to investigate an alleged breach of the data breach notification provisions under clause 75 may also be unclear in some circumstances. For example, if an entity fails to notify the Commissioner of a data breach, and the breach is not ‘in connection with a consumer’s health information included in a registered consumer’s PCEHR’, the Commissioner may not have the power under clause 73 to investigate this contravention. The OAIC also notes that the Information Commissioner has been given no additional power to advise and assist persons after they have notified the office of a data breach. It suggests therefore that the legislation include clarification of what powers it is intended that the Commissioner have in relation to investigation of alleged contraventions of the civil penalty provisions and to provide advice to complainants.[178]

There appear to be no significant concerns about the remaining provisions dealing with penalties, apart from the Royal Australasian College of Physicians (RACP) questioning the wording in paragraph 90(1)(d) and the Australian Association of Pathology Practices (AAPP) arguing that the penalties are ‘steep’. The RACP seeks clarification of the term ‘party to’ in relation to the contravention of a civil penalty provision. It is not clear in the College’s opinion what level of knowledge would be required for a person to be party to a contravention.[179] The AAPP considers penalties of $66 000 plus criminal penalties represent substantial risks for providers.[180]

In relation to these types of concerns, the Explanatory Memorandum makes the point that the voluntary enforceable undertakings in Part 7 of the proposed legislation ‘are a key element of the graduated responses available under the Bill. They can be used as an effective control of behaviour and can result in systemic changes being made’.[181] It could be argued on the other hand that given the sensitivity of the information involved in the PCEHR that penalties may not represent a sufficiently adequate deterrent.

Part 8—other matters

Part 8 of this Bill allows for PCEHR rules and regulations to be made. It also provides details of reporting and review requirements for the system, the treatment of certain participating entities and allows for the delegation of certain powers.

As noted earlier in this digest, clause 97, which lists the types of decisions made by the System Operator that are subject to review, has caused some concern amongst stakeholders. This is because there does not appear to be a means through which people can complain about the System Operator itself.[182] Concerns about clause 98 may yet be expressed along similar lines. Subclause 98(1) allows the System Operator, if it is the Secretary of the Department of Health and Ageing, to delegate ‘one or more of his or her function and powers’ to employees of the Department, the Chief Executive Medicare and other person (with the consent of the Minister). Given the sensitivity of information to be divulged to unknown bureaucrats, at as yet undisclosed levels within the Department of Health, and with the sole discretion of the Department Secretary, it would appear that there needs to be more stringent requirements on which employees of DoHA should be able to access consumer information.

Indeed, the APF finds it unacceptable that critical privacy protection may be in delegated legislation:

All protections must be in statutes, in order to ensure that they have been considered and directly expressed by the Parliament. Delegating them to statutory instruments makes them appear unimportant. It also risks them never being delivered, and enables the protections to be readily compromised by subsequent amendments that can be processed without publicity and without consideration by the Committee process or the Parliament.

In short, the credibility of such protections as are being proposed is shot to ribbons by the failure to put them high on the agenda. The Department is greatly undermining its own scheme by its intransigence on this matter alone.[183]

The ADA objects to clause 99. According to the Explanatory Memorandum, this clause ensures that the Bill’s authorisations extend to employees, contracted service providers and contractors of those organisations where appropriate.[184] The ADA is of the view, however, that this clause:

... will result in additional risks for employers and insurers and consequently increased costs for specialists, patients and taxpayers. The prospect of these costs and risks may inhibit support for [the] PCEHR by clinicians.[185]

Clause 109 states that the Minister may, by legislative instrument, make rules ‘about matters required or permitted by this Act’. Subclause 109(2) says that the Minister must consult the Jurisdictional Advisory Committee, before making rules, but failure to do so does not invalidate any rules subsequently made. The Pharmacy Guild is unhappy that only the Jurisdictional Committee is to be consulted in the making of rules process. It asks why technical experts are not to be consulted given that it is suggested that rules may relate to technical specifications (subclause 109(4)).

Opt in, that is people choose to register to have a PCEHR, or Opt out, that is people who do not wish to have a PCEHR request to be excluded from the system

- Most stakeholders consider the Government’s option to make the PCEHR system opt in is a mistake because it will be difficult to reach a critical mass of participants. This in turn, will make the system more costly, and patients will miss out on the potential benefits from the system.

- Those who argue for opt in consider that the option will ensure that consumers have more confidence in the system if registration is voluntary.

Consumer control

- Those in favour of more consumer control over records in the PCEHR note that the intention of the system is implicit in its title—a personally controlled records system. They consider consumers will not be confident in the system unless they are able to impose controls on who can access information in their records. They are concerned that a no access control option has been removed from the current Bill.

- Opposition to this view mostly comes from health professions who are concerned that practitioners will be denied access to information which is relevant to the treatment of patients and from accessing information to deal with health emergencies.

Who can be a healthcare provider

- A number of the health professions are concerned that they will not be eligible to be nominated as a healthcare provider. They argue that their services are just as essential to overall patient health as those of medical practitioners, nurses and certain Aboriginal health workers, those professions currently eligible.

Government stewardship of private information

- Most stakeholders are concerned about the extent to which bureaucrats in the Department of Health and Ageing will exercise control, at least initially, over the PCEHR system. Objections have been raised also that the System Operator will not be required to take the advice of advisory committees or to provide reasons why it has chosen not to do so.

- The Department of Health and Ageing argues that it is not unusual for the Secretary of the Department to have such power and that placing the administrative machinery of the PCEHR in the hands of a responsible government agency will ensure appropriate governance of the system is achieved.

Rules and regulations

- Many stakeholders are concerned that rules and regulations which will accompany this legislation have yet to be revealed; that in fact there is no real indication of how the system will operate in practice. They consider that draft regulations should have been released in conjunction with the primary legislation.

Financial incentives

- Health organisations and health practitioners, particularly medical practitioners, are unhappy that the Government will not provide financial incentives to assist them in converting systems and establishing records for patients. Practitioners complain also about the overall burden of administration the PCEHR will impose on their practices and organisations.

Timing and limited capabilities of the system

- Medical software organisations in particular are concerned that the PCEHR system is being rushed into operation. They believe that more work needs to be done to ensure that the components of the system function effectively before implementation. They consider the date proposed for implementation should be delayed until the full functionality of the system can be guaranteed.

Risks from breaches of the system

- Some practitioners are concerned that the penalties for breaches of the system are too high and that they will be punished unjustly for unintended breaches.

Privacy

- Many stakeholders have stressed that ensuring privacy issues are adequately addressed is fundamental to achieving community trust in the PCEHR system. A general consensus is that without consumer confidence the system will not succeed.

- Government agencies argue that provisions in the legislation will ensure the privacy of individuals through technical controls, effective and transparent governance and legal protections.

- Opposition to this view notes the potential conflict of interest that may arise from handling of private health information by bureaucrats. Concerns continue to be raised also about how secure consumer health information will be within the PCEHR system, particularly in light of concomitant concerns about possible flaws in the design and proposed function of the system.

As has been revealed throughout this digest, there are a number of bottom line key issues in relation to the PCEHR upon which the various stakeholders have commented.

For consumer organisations, that the PCEHR ensures the protection of the privacy of individuals is paramount to all consideration of the system. Hence, these groups argue that the PCEHR cannot be successful unless it first and foremost serves the interests of health consumers. They consider that if the system is to do so, there must be assurances that consumers will participate in the system governance, that its administration and operation will be transparent and accountable and that consumers will have access to, and ultimate control of their health information.

Other stakeholders argue that privacy must be compromised in some instances to ensure the efficient operation of the PCEHR. Medical professionals view consumer control as dangerous—both from the perspective that important information may not be available to them to deliver effective treatment and for medico legal reasons.

Further to these concerns, for consumer groups (and, indeed many stakeholders), there is the issue of what will actually be in rules and regulations which accompany the Bill (once enacted). While it is usual for regulations to be made following the passage of legislation, in this instance it may have been circumspect to have produced a companion document detailing proposed rules and regulations, given that sensitive information relating to all Australians is the ultimate focus of the legislation. Previewing such rules and regulations may have alleviated some of the more important concerns which have been expressed about the privacy of individuals generally and the potential lack of accountability, specifically that of the principal PCEHR administrator, the System Operator.

While it is not strictly the subject of this digest, concerns about how the technical aspects of the PCEHR system will function and, indeed, whether they will actually function, have been raised in submissions to the Exposure Draft legislation, to the Senate inquiry into this Bill and in other instances and these represent a bottom line in terms of whether Australia has taken the right approach to e health records.[186]

Concerns have been raised by the medical software industry about the overall design of the PCEHR system, and consumers and medical professionals have also expressed disquiet about certain aspects. As this digest has noted in passing, there have been complaints from industry ranging from accusations of ineffective oversight and failure of administrators to acknowledge design flaws, to warnings that the system will not succeed because its implementation has been ill considered and rushed. In terms of rushing the implementation of the system, for instance, disquiet over the role of the System Operator noted in the previous paragraph may have been dispelled if time were available to establish a specific body for this purpose before the system is implemented. As noted in the Parliamentary Library paper on e health, taking time to get the whole system right has worked well in jurisdictions such as Denmark, where a series of strategies for an overall e health system have been progressively shaping implementation and engaging health professionals and consumers.

The PCEHR Bill has attempted to address the issues which stakeholders have indicated are critical to their acceptance of the PCEHR and it is clear that consultations have produced some concessions and changes to the original PCEHR proposals. However, despite these compromises there continues to be uncertainty surrounding how the privacy applications and administrative and technical machinery of the PCEHR system will affect those who provide it, those who consume it and those who monitor it. As such, the potential for the system to improve health outcomes, a claim which is rarely questioned, has become almost a secondary consideration in discussions of the PCEHR.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2429.

[22]. For example, the Medical Software Association of Australia made a (late) submission to the Senate Committee and noted that ‘in lieu of answers to Questions on Notice it had been forced to use the Department’s submission in compiling its paper. Medical Software Industry Association (MSIA), Submission to the Senate Community Affairs Committee, Inquiry into the provisions of the Personally Controlled Electronic Health Records Bill 2011 [and one related Bill], 2012, viewed 24 February 2012, https://senate.aph.gov.au/submissions/comittees/viewdocument.aspx?id=d55e2da1-2e4e-4908-affc-a4de67887102

[28]. Australian Medical Association (AMA), Submission to the Department of Health and Ageing on the draft concept of operations relating to the introduction of a personally controlled electronic health record system, 31 May 2011, viewed 25 August 2011, http://ama.com.au/node/6777

[52]. Note for example that in an answer to a Senate Estimates question from October 2011, the Department of Health and Ageing has recently stated the following: ‘Although the timeframe for implementation of the PCEHR system is short, the Accenture led consortium [the Government’s National Infrastructure Partner] demonstrated its experience and capability to deliver the PCEHR system within the short timeframes to an independent tender panel. Accenture also led the program which successfully delivered Singapore’s National Electronic Health Record (NEHR) system in 2010-2011. Accenture were awarded the contract in June 2010, with the first phase elements of the NEHR going live on 30 April 2011. This project was delivered within a 12 month period and is considered to be a highly successful implementation’. Senate Community Affairs Committee, Answers to Questions on Notice, Health and Ageing Portfolio, Supplementary Estimates 2011–12, 19 October 2011, Question E11–467.

[95]. Section 14 of the PCEHR Bill and the definition of ‘agency’ in section 6(1) of the Privacy Act and the definition of ‘organisation’ in section 6C of the Privacy Act. Office of the Australian Information Commissioner (OAIC), Submission to the Senate Community Affairs Committee, Inquiry into the Personally Controlled Electronic Health Records Bill 2011 [and one related Bill], 12 January 2012, viewed 31 January 2012, http://www.aph.gov.au/Senate/committee/clac_ctte/pers_cont_elect_health_rec_11/submissions.htm

[106]. CHF noted in its submission to the Senate inquiry that it too was pleased with the representation of consumers on the Advisory Committee. The CHF added, however, that it was concerned that this Bill did not provide detail on how consumer representatives would be appointed, CHF Submission to Senate inquiry, op. cit.

[160]. Note: only an addition has been made to clause 73, which is: ‘or would contravene this Act but for a requirement relating to the state of mind of a person’. The clause previously read ‘An act or practice that contravenes this Act in connection with health information included in a consumer’s PCEHR is taken to be: (a) for the purposes of the Privacy Act 1988, an interference with the privacy of the consumer; and (b) covered by section 13 or 13A of that Act, as applicable’. Note: An act or practice that is an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

[161]. National Privacy Principle 2.1 states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless one of a number of exceptions listed applies. The exceptions include where the ‘use or disclosure is required or authorised by or under law’, viewed 14 December 2011, http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/sch3.html

[163]. Section 40(2) of the Privacy Act: ‘the Commissioner may investigate an act or practice if (a) the act or practice may be an interference with the privacy of an individual; and (b) the Commissioner thinks it is desirable that the act or practice be investigated.’

[164]. Section 36(1) of the Privacy Act states ‘subject to subsection (1A), an individual may complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of the individual.’ Section 40(2) says that the Commissioner ‘may investigate an act or practice if: (a) the act or practice may be an interference with the privacy of an individual; and (b) the Commissioner thinks it is desirable that the act or practice be investigated’. Viewed 14 December 2011, see http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s36.html

[166]. Section 27A states that ‘in addition to the functions under sections 27, 28 and 28A, the Commissioner has the following functions in relation to healthcare identifiers: (a) to investigate an act or practice that may be an interference with the privacy of an individual under subsection 29(1) of the Healthcare Identifiers Act 2010 and, if the Commissioner considers it appropriate to do so, to attempt by conciliation, to effect a settlement of the matters that gave rise to the investigation; (b) to do anything incidental or conducive to the performance of that function’.

[168]. Under NPP 2.1(d) an organisation may use or disclose personal information about an individual for a purpose other than the primary purpose of collection where the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety: (i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and (ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and (iii) in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information or personal information derived from the health information.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.
